Abstract. Lai and Chaturvedi proposed two authentication schemes presumably based on the difficulty of the Root Problem in the braid group. We describe a deterministic linear time algorithm to crack the first scheme, and show that the second scheme is not more secure than schemes based on the Conjugacy Search Problem, and can therefore be cracked by existing heuristic attacks with very good success probability, as long as the parameters are practical.



1. The first authentication scheme

Lai and Chaturvedi propose in [6] two authentication schemes based on the difficulty of the Root Problem in the braid group. The basic definitions are given in [6]. Their first scheme is defined as follows. We work in the braid group $B_n$ where $n$ is even. In the sequel, multiplication of elements of $B_n$ means concatenation and reduction to left canonical form. Let $LB_n = \langle \sigma_1, \dots, \sigma_{n/2-1} \rangle$ and $UB_n = \langle \sigma_{n/2+1}, \dots, \sigma_n \rangle$.

Key Generation. Alice chooses integers $r, s > 2$, $a \in LB_n$, and $b \in UB_n$. The public key is $(X = a^r b^s, r, s)$, and the secret key is $(a, b)$.

Authentication. Bob chooses $c \in UB_n$ and $d \in LB_n$, and sends Alice the challenge $Y = c^r d^s$. Alice responds with (a hash image of) $Z = a^r Y b^s$. Bob verifies that $Z = c^r X d^s$.

It is argued in [6] that the scheme is secure if the Root Problem of finding $x$ given $x^r$ ($r > 2$ fixed) in $B_n$ is difficult.

The first observation is that extraction of roots is not necessary in 
order to crack this scheme. 

Claim 1. If one can, given $xy$ where $x \in LB_n$ and $y \in UB_n$, find $(x, y)$, then one can authenticate as Alice.

Proof. Take $x = a^r$ and $y = b^s$. Then $xy$ is known. Find $(x, y) = (a^r, b^s)$, and note that this suffices for the authentication. □
Claim 1 together with the following proposition implies that the scheme is insecure.

Proposition 2. Given $xy$ where $x \in LB_n$ and $y \in UB_n$, there is an efficient algorithm to find $(x, y)$.

Proof (sketch). The approach adopted here was suggested to us by 
Shmuel Kaplan. We merely had to prove that it works. 

Given a braid $w \in B_n$ containing a strand starting at position $i$, there is a well-defined braid $\tau_i(w) \in B_{n-1}$ obtained by removing that strand from the braid $w$ (and enumerating the starting and ending positions in the unique order-preserving manner). Note that $\tau_i(w)$ can be computed in time polynomial in $n$ and the number of Artin generators used to write $w$.

Similarly, for a set $I \subseteq \{1, \dots, n\}$, we can define $\tau_I(w) \in B_{n-|I|}$ to be the braid obtained by removing all strands starting at positions which are members of $I$ (and then re-enumerating the starting and ending positions in an order-preserving manner).

Assume that $x \in LB_n$ and $y \in UB_n$, and we are given a representative $\alpha$ of the homotopy class of $xy$. $\alpha$ is homotopically equivalent to the braid $\beta$ which is the side-by-side concatenation of (representatives of the homotopy classes of) $x$ and $y$. Let $I = \{n/2+1, \dots, n\}$. Then $\tau_I(\alpha)$ is homotopically equivalent to $\tau_I(\beta)$ (the same homotopy works). But $\tau_I(\beta) = x$.

In summary, given $xy$, compute $z = \tau_I(xy)$. Then (in $B_n$) $z = x$, and we can compute $x^{-1}(xy) = y$. □

The attack works for any group $G$ with $LB_n$ and $UB_n$ replaced by any two commuting subgroups $L, U$ of $G$ with $L \cap U = \{e\}$, provided that for each $x \in L$ and each $y \in U$, $x$ and $y$ can be efficiently recovered from their product $xy$ (note that the condition $L \cap U = \{e\}$ guarantees that such a decomposition is unique). This is the case, for example, with the subgroups $A_s, B_s$ of Thompson's group $F$, defined in Shpilrain-Ushakov's paper [9] (see the proof of Proposition 1 of [9]).

Gonzalez-Vasco has pointed out to us that if $L, U$ are as above and, in addition, either $L$ or $U$ is a normal subgroup of $G$, then for each known $w \in G$, $xwy$ can be efficiently (and uniquely) decomposed: If $L$ is a normal subgroup of $G$, then $w^{-1}xw \in L$, and therefore we can decompose $w^{-1}xwy$ into $w^{-1}xw$ and $y$ (and then recover $x$ from $w^{-1}xw$). The case that $U$ is a normal subgroup of $G$ is treated similarly.
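Proposition 2 can be tried out directly on braid words. The following is an added example, not code from the paper: it represents a braid in $B_n$ as a list of signed Artin-generator indices, implements $\tau_I$ as a letter-by-letter deletion of strands, and plays the attack of Claim 1 with $x = a^r$ and $y = b^s$ treated as opaque elements of $LB_n$ and $UB_n$. The published word for $xy$ is first rewritten with braid relations and cancelling pairs so that it no longer visibly splits into $x$ followed by $y$. Equality of the recovered braids with the secrets is witnessed by the unreduced Burau representation evaluated at $t = 2$; it is a homomorphism, so equal braids always give equal matrices, but it is not faithful for $n \ge 5$ and is used here only as a sanity check. The secrets, the scrambling and $n = 6$ are constructed values.

```python
"""Toy implementation of the strand-removal attack (Proposition 2).

A braid in B_n is a word in the Artin generators: +i stands for sigma_i and
-i for sigma_i^{-1}, 1 <= i <= n-1.  LB_n uses indices 1..n/2-1 and UB_n uses
n/2+1..n-1, so the two subgroups move disjoint strands and commute.
"""
from fractions import Fraction
import random

N = 6
SECRET_X = [1, 2, -1, 2, 1]    # constructed secret x in LB_6 = <sigma_1, sigma_2>
SECRET_Y = [4, -5, 4, 4, 5]    # constructed secret y in UB_6 = <sigma_4, sigma_5>

def remove_strands(word, n, removed):
    """tau_I(w): delete the strands starting at the positions in `removed`
    and renumber the survivors order-preservingly, letter by letter."""
    pos = list(range(1, n + 1))   # pos[p] = start position of the strand now in slot p+1
    out = []
    for g in word:
        i = abs(g)
        left, right = pos[i - 1], pos[i]
        if left not in removed and right not in removed:
            # crossing survives; its new index is 1 + (#surviving strands to its left)
            k = sum(1 for p in pos[:i - 1] if p not in removed)
            out.append(k + 1 if g > 0 else -(k + 1))
        pos[i - 1], pos[i] = right, left   # the two strands swap slots
    return out

def inverse(word):
    return [-g for g in reversed(word)]

def free_reduce(word):
    """Cancel adjacent sigma_i sigma_i^{-1} pairs (cosmetic; no braid relations used)."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out

def burau(word, n, t=Fraction(2)):
    """Unreduced Burau matrix evaluated at t (a homomorphism, so equal braids
    give equal matrices); used only as a cheap equality witness."""
    ident = lambda: [[Fraction(int(r == c)) for c in range(n)] for r in range(n)]
    M = ident()
    for g in word:
        i, B = abs(g) - 1, ident()
        if g > 0:
            B[i][i], B[i][i + 1], B[i + 1][i], B[i + 1][i + 1] = 1 - t, t, Fraction(1), Fraction(0)
        else:
            B[i][i], B[i][i + 1], B[i + 1][i], B[i + 1][i + 1] = Fraction(0), Fraction(1), 1 / t, 1 - 1 / t
        M = [[sum(M[r][k] * B[k][c] for k in range(n)) for c in range(n)] for r in range(n)]
    return M

def scramble(word, n, rounds=200, seed=1):
    """Rewrite `word` with braid relations and cancelling pairs so that the
    published representative of xy no longer looks like x followed by y."""
    rng, w = random.Random(seed), list(word)
    for _ in range(rounds):
        move = rng.randrange(3)
        if move == 0 and len(w) >= 2:            # sigma_i sigma_j = sigma_j sigma_i for |i-j| >= 2
            j = rng.randrange(len(w) - 1)
            if abs(abs(w[j]) - abs(w[j + 1])) >= 2:
                w[j], w[j + 1] = w[j + 1], w[j]
        elif move == 1 and len(w) >= 3:          # sigma_i sigma_{i+1} sigma_i = sigma_{i+1} sigma_i sigma_{i+1}
            j = rng.randrange(len(w) - 2)
            a, b, c = w[j:j + 3]
            if a == c and a > 0 and b > 0 and abs(a - b) == 1:
                w[j:j + 3] = [b, a, b]
        else:                                    # insert sigma_i sigma_i^{-1}
            j, i = rng.randrange(len(w) + 1), rng.randrange(1, n)
            w[j:j] = [i, -i]
    return w

def attack(xy_word, n):
    """Given any word representing xy (x in LB_n, y in UB_n), recover x by
    deleting the upper n/2 strands, then y = x^{-1}(xy)."""
    x = free_reduce(remove_strands(xy_word, n, set(range(n // 2 + 1, n + 1))))
    y = free_reduce(inverse(x) + xy_word)
    return x, y

def demo():
    public = scramble(SECRET_X + SECRET_Y, N)     # the word an attacker gets to see
    x_rec, y_rec = attack(public, N)
    return (burau(x_rec, N) == burau(SECRET_X, N),
            burau(y_rec, N) == burau(SECRET_Y, N),
            len(public) > len(SECRET_X + SECRET_Y))
```

The cost is one pass over the word for $\tau_I$ plus one free reduction, which is the linear time the abstract refers to; no root extraction and no normal-form computation is needed, since any representative of $xy$ yields a representative of $x$.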

2. The second authentication scheme

Lai and Chaturvedi also propose a second scheme in [6], Scheme II:

Key Generation. Alice chooses integers $r, s > 2$, $a \in LB_n$, and $c \in B_n$. The public key is $(X = a^r c a^s, c, r, s)$, and the secret key is $a$.

Authentication. Bob chooses $b \in UB_n$, and sends Alice the challenge $Y = b^r c b^s$. Alice responds with (a hash value of) $Z = a^r Y a^s$. Bob verifies that $Z = b^r X b^s$.

The attack of Section 1 does not apply to Scheme II. To crack this scheme, it suffices to solve the following Decomposition Problem:

Given $xcy$ where $x, y \in LB_n$ are unknown and $c \in B_n$ is known, find $\tilde{x}, \tilde{y} \in LB_n$ such that $\tilde{x} c \tilde{y} = xcy$.

In principle, the generic attack described in [3], [8] applies to this problem, and it seems that for practical parameters required to make the system usable, its success probability will not be negligible. However, the generic attack is much more time consuming than the one suggested in Section 1, and to evaluate its feasibility, it must be tested against practical parameters, which so far have not been suggested.

We therefore consider again the original Scheme II. Here too, the powers are irrelevant for our discussion, so we consider instead the following Generalized Scheme II: Fix a group $G$ and subgroups $A, B$ of $G$ such that $A, B$ commute elementwise.

Key Generation. Alice chooses $a_1, a_2 \in A$, and $c \in G$. The public key is $(X = a_1 c a_2, c)$.

Authentication. Bob chooses $b_1, b_2 \in B$, and sends Alice the challenge $Y = b_1 c b_2$. Alice responds with (a hash value of) $Z = a_1 Y a_2$. Bob verifies that $Z = b_1 X b_2$.

In order to crack Generalized Scheme II, it suffices to solve the following.

Problem 3. Given $c$, $X = a_1 c a_2$, and $Y = b_1 c b_2$ such that $a_1, a_2 \in A$ and $b_1, b_2 \in B$, find $Z = a_1 Y a_2 = b_1 X b_2$.

More precisely, the elements $a_1, a_2, b_1, b_2, c$ are chosen according to known distributions on the relevant spaces ($A$, $B$, and $G$), and one has to find $Z$ with a significant probability. Similar probabilistic adaptations can be made to all assertions in the sequel, but for clarity we often omit those.

Lemma 4. Consider an instance of Problem 3. If either $b_1$ or $b_2$ is known to commute with $c$, then $Z$ can be computed efficiently by anyone.

Proof. If $b_1 c = c b_1$, then $c b_1 b_2 = b_1 c b_2 = Y$ is known, and therefore so is $b_1 b_2$. It follows that

$$Z = a_1 Y a_2 = a_1 b_1 c b_2 a_2 = a_1 c b_1 b_2 a_2 = a_1 c a_2 b_1 b_2 = X (b_1 b_2)$$

is known. The case where $b_2 c = c b_2$ is similar. □

Remark 5. Note that in the original Scheme II, $b_1, b_2$ are both powers of the same element $b \in B$, and if $b$ commutes with $c$, then both $b_1$ and $b_2$ commute with $c$. It could, however, be the case that $b^r$ commutes with $c$, but $b^s$ does not: In $B_n$, the fundamental element $\Delta$ does not commute with all elements, but its square $\Delta^2$ does.

As the roles of $(a_1, a_2, Y)$ and $(b_1, b_2, X)$ in Problem 3 are symmetric, Lemma 4 implies the following.

Lemma 6. Consider an instance of Problem 3. If either $a_1$ or $a_2$ is known to commute with $c$, then $Z$ can be computed efficiently by anyone. □

Assume now that Bob generates $b_1, b_2$ in a way that with a nontrivial probability $p$, either $b_1$ or $b_2$ commutes with $c$. Then, in about $2/p$ tries, false identification is possible: In each try, the pretender flips a coin to guess whether $b_1$ or $b_2$ commutes with $c$, and uses Lemma 4. This will succeed with probability $p/2$.

But actually, one could heuristically check whether $b_1$ or $b_2$ commute with $c$. By Lemma 6, if $c$ commutes with all elements of $A$ (or commutes, with probability close to 1, with the elements of $A$ generated in the protocol, a fact that can be verified experimentally), then the system is insecure. Thus, we may assume that it is easy to generate elements $a \in A$ which do not commute with $c$. Fix such an element $a$. Compute

$$W = (b_1 c b_2)\, a\, (b_1 c b_2)^{-1} = b_1 c b_2 a b_2^{-1} c^{-1} b_1^{-1} = b_1 c a b_2 b_2^{-1} c^{-1} b_1^{-1} = b_1 c a c^{-1} b_1^{-1}.$$

If $b_1 c = c b_1$, then

$$W = c b_1 a c^{-1} b_1^{-1} = c a b_1 c^{-1} b_1^{-1} = c a c^{-1} b_1 b_1^{-1} = c a c^{-1},$$

which can be verified as we know $a$ and $c$. And if not, then it is unlikely that $W = c a c^{-1}$, that is, that $b_1 d b_1^{-1} = d$, where $d = c a c^{-1}$. The last assertion just tells that $c a c^{-1}$ commutes with $b_1$.

A similar argument applies for $b_2$. Computing

$$U = (b_1 c b_2)^{-1}\, a\, (b_1 c b_2) = b_2^{-1} c^{-1} b_1^{-1} a b_1 c b_2 = b_2^{-1} c^{-1} a c b_2,$$

we have that if $b_2 c = c b_2$, then $U = c^{-1} a c$, and otherwise this is unlikely, as $U = c^{-1} a c$ if, and only if, $b_2$ commutes with $c^{-1} a c$.
We arrive at the following.

Lemma 7. In instances of Problem 3, if it is easy to find elements $a \in A$ such that with a high probability, $c a c^{-1}$ (respectively, $c^{-1} a c$) does not commute with $b_1$ (respectively, $b_2$), then it can be checked with high certainty whether $b_1 c = c b_1$ (respectively, $b_2 c = c b_2$). □

In practical settings where $c$ does not commute with all elements of $A$, it is likely that any generic enough element of $A$ will have the properties required in Lemma 7. Moreover, since we can repeat the test of commutation for many distinct $a$'s, the "high probability" in Lemma 7 does not seem necessary.

By symmetry, if $c$ commutes with either of $a_1, a_2$, then this can also be detected heuristically, and by Lemmas 6 and 7, false identification is possible in these cases too.

We may therefore assume that none of the generated elements commutes with $c$. In particular, there are many $a \in A$ which do not commute with $c$.

The following approach is inspired by the beautiful observations used by Chowdhury in a different context [2]. For the elements $a$ which do not commute with $c$, we obtain as above the equation

$$W = b_1 d b_1^{-1}$$

with $d = c a c^{-1}$ being a rather generic element of $G$. Similarly, we can obtain conjugacy equations for $b_2$, $a_1$, and $a_2$. This reduces the problem to the (strict) Simultaneous Conjugacy Search Problem:

Given many equations $W = x d x^{-1}$ where $x \in B$ is unknown and $d \in G$ is known, find $x$ (modulo the center of $G$).

To see that this suffices, consider an instance of Problem 3, and assume that $h, g \in G$ are central (i.e., commute with all elements of $G$), and that $h b_1, g b_2$ are known. Then

$$(h b_1)\, c\, (g b_2) \cdot Y^{-1} = (hg)(b_1 c b_2) \cdot Y^{-1} = (hg) Y \cdot Y^{-1} = hg$$

can be computed, and therefore so can

$$(hg)^{-1} (h b_1) X (g b_2) = g^{-1} b_1 X g b_2 = g^{-1} g b_1 X b_2 = b_1 X b_2 = Z.$$

Moreover, it suffices to know either of $b_1$ or $b_2$ modulo the center of $G$ in order to find the other modulo the center of $G$. Indeed, if $h$ is in the center of $G$ and $b_1 h$ is known, then

$$c^{-1} (b_1 h)^{-1} Y = c^{-1} h^{-1} b_1^{-1} b_1 c b_2 = c^{-1} h^{-1} c b_2 = c^{-1} c h^{-1} b_2 = h^{-1} b_2$$

BOAZ TSABAN

can be computed, and is equal to $b_2$ modulo the center of $G$. The case that $b_2$ is known modulo the center of $G$ is treated similarly.
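The identities behind Lemma 4, the commutation test of Lemma 7 and the central-element recovery just derived can be checked mechanically in a small group. The following added example is not from the paper: it instantiates Generalized Scheme II with $G$ the group of $4 \times 4$ signed permutation matrices (inverse = transpose, center $\{I, -I\}$), $A$ the signed permutations of coordinates 0 and 1, and $B$ those of coordinates 2 and 3, so $A$ and $B$ commute elementwise. The secrets, the two choices of $c$ and the central elements $h = -I$, $g = I$ are constructed values, and the group is far too small to say anything about security; the point is the algebra. It also exhibits the failure mode Lemma 7 allows for: with $a = \mathrm{negate}(0)$ and $c = \mathrm{swap}(1,2)$, the conjugate $c a c^{-1}$ happens to commute with $b_1$, so that single test wrongly reports $b_1 c = c b_1$, which is why the paper repeats the test over many $a$'s.

```python
"""Generalized Scheme II in a toy group (constructed example, not the paper's).

G is the group of 4x4 signed permutation matrices: inverse = transpose and the
center is {I, -I}.  A = signed permutations of coordinates 0,1 and
B = signed permutations of coordinates 2,3, which commute elementwise.
"""
N = 4

def mul(*ms):
    """Product of 4x4 integer matrices, left to right (identity if no args)."""
    out = [[int(r == c) for c in range(N)] for r in range(N)]
    for m in ms:
        out = [[sum(out[r][k] * m[k][c] for k in range(N)) for c in range(N)]
               for r in range(N)]
    return out

def inv(m):
    """Signed permutation matrices are orthogonal, so the inverse is the transpose."""
    return [[m[c][r] for c in range(N)] for r in range(N)]

def swap(i, j):
    """Transposition of coordinates i and j."""
    m = mul()
    m[i][i] = m[j][j] = 0
    m[i][j] = m[j][i] = 1
    return m

def negate(i):
    """Sign flip of coordinate i."""
    m = mul()
    m[i][i] = -1
    return m

NEG_I = [[-x for x in row] for row in mul()]   # the nontrivial central element

def lemma4_forge(X, Y, c):
    """Lemma 4: if b1 c = c b1 then Y = c b1 b2, so b1 b2 = c^-1 Y and
    Z = X (b1 b2); everything on the right-hand side is public."""
    return mul(X, inv(c), Y)

def b1_commutes_with_c(Y, a, c):
    """Lemma 7 test: W = Y a Y^-1 equals c a c^-1 whenever b1 c = c b1.
    The converse fails only if c a c^-1 happens to commute with b1."""
    return mul(Y, a, inv(Y)) == mul(c, a, inv(c))

def z_from_central_multiples(X, Y, c, hb1, gb2):
    """Recover Z = b1 X b2 from h b1 and g b2 with h, g central:
    hg = (h b1) c (g b2) Y^-1, then Z = (hg)^-1 (h b1) X (g b2)."""
    hg = mul(hb1, c, gb2, inv(Y))
    return mul(inv(hg), hb1, X, gb2)

def b2_from_b1_mod_center(Y, c, b1h):
    """c^-1 (b1 h)^-1 Y = h^-1 b2: b1 known modulo the center gives b2 modulo the center."""
    return mul(inv(c), inv(b1h), Y)

def demo():
    a1, a2 = swap(0, 1), negate(1)        # Alice's secrets in A
    b1, b2 = swap(2, 3), negate(2)        # Bob's secrets in B
    cases = {"c_good": swap(0, 1),        # acts inside A's block: commutes with b1 and b2
             "c_bad": swap(1, 2)}         # mixes the blocks: commutes with none of a1, a2, b1, b2
    results = {}
    for name, c in cases.items():
        X, Y = mul(a1, c, a2), mul(b1, c, b2)
        Z = mul(a1, Y, a2)
        results[name] = {
            "protocol_consistent": Z == mul(b1, X, b2),
            "lemma4_forge_ok": lemma4_forge(X, Y, c) == Z,
            "test_with_swap": b1_commutes_with_c(Y, swap(0, 1), c),
            "test_with_negate": b1_commutes_with_c(Y, negate(0), c),   # false positive for c_bad
            "center_recovery_ok": z_from_central_multiples(X, Y, c, mul(NEG_I, b1), b2) == Z,
            "b2_mod_center_ok": b2_from_b1_mod_center(Y, c, mul(b1, NEG_I)) in (b2, mul(NEG_I, b2)),
        }
    return results
```

For `c_good` the Lemma 4 forgery succeeds and both commutation tests agree; for `c_bad` the forgery fails, the test with $a = \mathrm{swap}(0,1)$ correctly reports non-commutation, and the test with $a = \mathrm{negate}(0)$ is fooled. The central-element recovery works in both cases, since it only uses that $h$ and $g$ commute with everything.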

In principle, there could exist a solution to the given equations $W = x d x^{-1}$ which is not equal to $x$ modulo the center of $G$, but this seems to be unlikely in nontrivial scenarios. Indeed, if $\tilde{x} \in B$ is another solution to all of these equations, then for each $d$ used in the equations, $\tilde{x} d \tilde{x}^{-1} = x d x^{-1}$, and therefore $x^{-1} \tilde{x}$ commutes with $d$. Since the attacker can generate as many such equations as desired and the elements $d$ look rather generic, it follows that $x^{-1} \tilde{x}$ is likely to belong to the center of $G$, and therefore $\tilde{x}$ is equal to $x$ modulo the center of $G$.

This shows, heuristically, that Generalized Scheme II is not likely 
to be more secure than schemes based on the simultaneous conjugacy 
search problem. 

We now move back to the original setting, where $G = B_n$ is the braid group. There are a variety of efficient heuristic algorithms for the simultaneous conjugacy search problem in $B_n$, which have very good success rates [SI El-. Moreover, since we can choose many elements $a \in A$, we can produce as many families of conjugacy equations for $b_1$ (or for $b_2$, $a_1$ or $a_2$) as we need, and it suffices to solve correctly (modulo the group's center) one such family of equations, so the probability of success of the mentioned methods should get very close to 1.

This suggests that in practical settings, Scheme II is likely to be insecure too.

Acknowledgments. We thank Maria Isabel Gonzalez-Vasco and Dima

root problem in the braid group, see [1].